Facebook to pay for security hole reports

Facebook says it will now pay a $500 bounty for reports of vulnerabilities in the social networking service. The bounty will be paid for reports which follow the company's "Responsible Disclosure Policy", which asks for a reasonable time to respond before details of the vulnerability are made public, and for a "good faith effort" to avoid privacy violations, data destruction or service degradation while performing that research. If researchers keep to this policy, Facebook says it will not bring a lawsuit or ask the police to intervene.

Bugs that should be reported are ones that could compromise either the integrity or the privacy of Facebook user data; Facebook suggests these could include cross-site scripting (XSS), cross-site request forgery (CSRF) or remote code injection. The company says it is not offering a bounty for bugs in third-party applications or web sites that integrate with Facebook, bugs in its corporate infrastructure, denial-of-service vulnerabilities, or spam and social engineering techniques. Bugs can be reported on a form which asks "Are you a security researcher?" – answering "No" takes users to a generic quiz on security.

Facebook joins the browser development teams of companies such as Mozilla and Google, which both offer bug bounties for security vulnerabilities in their web browsers.